Slashdot Mirror


User: Lewis Mettler, Esq.

Lewis Mettler, Esq.'s activity in the archive.

Stories: 0
Comments: 252

Comments · 252

  1. hold the phone on Planetary System Similar to Sol · · Score: 1

    Even if we found a planet as pleasant as our own it could be inhabited by a bunch of monkeys and that is it. Or, just birds, rats and snakes.

    There are lots of planets out there. But, we just do not know how difficult it is for a planet to support the wide range of organisms (life) we have here.

    Remember the days when we thought Martians might be green, 3 feet tall and have antlers? Well. Today we consider ourselves lucky to find out that Mars has water. Or once did.

    There may be other planets with life. But, I would guess we find thousands if not millions of them with life (just not intelligent) before we find anything close to what we have. And, we have yet to find the first of those. Well, maybe some can claim that something was living on Mars at one time. But, there is a big difference between "something alive" and intelligent life. Yes, I know we sometimes suggest that some individuals do not express that difference very well. :-)

  2. Re:maybe not the strategy but... on Microsoft Case Proceeds · · Score: 1

    Oh, I have to agree.

    I think the motion to dismiss would be fine.

    But, submitting a motion with bad or inappropriate authority is bad lawyering.

    Microsoft does have high-priced lawyers. And, this judge knows that. It is quite clear in her memorandum that she was biting her tongue when she refused to accept their arguments. And, they came up with some rather horrible arguments and logic.

    I do not have any doubt that she will seriously question any of their authorities from here on. Perhaps she has already reached that point.

    And, I would agree that this judge knows that nothing is coming before her because of incompetence.

    I also think there are two evidentiary matters that have bothered the judge. One is the obviously fabricated "removing icons means code is now uncommingled" testimony parroted by no less than 3 witnesses including Gates himself. Even the economists claimed that the icon removal was in response to the commingling violation. And, he is not a technologist nor a lawyer but rather an economic expert. And, I can not imagine how an economic expert can reach any such conclusion or testimony. And, clearly Gates knows the difference between code and icons.

    The other evidentiary matter was the clear refusal by the Microsoft economist to accept the decisions of the appellate court. Much of the so called expert economic testimony (at least much of the cross examination) dealt with conclusions on his part that contradicted the decisions of the appellate court. And, if there is one thing that judges are expert at, it is knowing when conflicting legal views or arguments are being made. And, the poor guy claimed to be abiding by the appellate decision while clearly testifying to the contrary. And, that kind of stuff you will never slip by a judge.

    There was other interesting evidence which the judge may or may not have picked up on. Allchin claimed that one of the reasons that the SUN JVM was not included with XP was because of the GPL. Well. The GPL has not really been discussed in this case. The judge may or may not know what the GPL is. Much less whether it relates to this case. Of course, it has nothing to do with SUN's JVM. And, you have to bet that Allchin knew that the GPL has nothing to do with Microsoft decisions in regard to Java. It was just false testimony for the purpose of defrauding the court as to the reasons the JVM was not being distributed. If the SUN lawyers are watching, they will bring up Allchin's testimony in their case and ask him to explain what the GPL has to do with the SUN JVM.

  3. and here comes the AOL and SUN law suits to follow on Microsoft Case Proceeds · · Score: 1

    It is true that the attempted monopolization and tying issues were dropped by the DOJ and the States. Actually, the attempted monopolization issue was decided without remand in the favor of Microsoft. But, that decision does not foreclose AOL and SUN from charging Microsoft with attempted monopolization in their own private law suits. SUN actually assumes that IE is now a monopoly product and the AOL suit charges Microsoft with attempted monopolization.

    Of course, Microsoft will publicly claim they were released of that charge by the appellate court. But, that is not true. At the time the appellate court reviewed the record, IE only had about a 50% share of the market. So, it was appropriate for the appellate court to decide against the DOJ on that issue. Facts are now completely different with the IE share near 95% or so. Plus, AOL now knows precisely what this appellate court wants to see by way of evidence for attempted monopolization.

    As for the tying issue, that charge was remanded. But, neither the plaintiffs nor defendants wanted to take up that issue on remand. They could have but decided not to do so.

    To be honest, the tying issue is better taken up by the AOL and SUN law suits anyway. AOL (same federal district) will have any appeal reviewed by the same court as the DOJ case. But, the SUN law suit is filed in the 9th Circuit. So, SUN and Microsoft will be appealing to a different appellate court. And, there is no telling whether they will agree on the law. The 9th circuit may like the per se tying argument and they may find that the rule of reason test is also met.

    And, that leaves open the possibility that both the DOJ case and the eventual SUN case will be appealed to the US Supreme Court on the basis that two federal districts have arrived at different legal conclusions as to tying.

    This means that the tying issue could actually remain unresolved for another 5 years or more despite the fact that the appellate court in the DOJ case decided that per se tying was not appropriate.

  4. Re:attorney: they're slow learners . . . on Microsoft Case Proceeds · · Score: 1

    That is the problem with the scorched earth approach to litigation. It does have a tendency to piss off the judge. And, no judge wants to waste their time handling worthless motions.

    But, I have a feeling that this judge is really upset about the apparent disrespect for the opinions of the appellate court in this case. And, it is not just the issue of the States' ability to proceed with the case.

    Many of Microsoft's witnesses presented testimony that clearly disagreed with the opinions in the appellate decision.

    The most blatant is the falsely fabricated response to the commingling issue.

    The commingling issue was clear in the original appellate decision and Microsoft even asked the appellate court to revisit that issue. And, as I recall they appealed to the Supreme Court on that issue as well. It was not taken up a second time by the appellate court (they were already en banc) and it was ignored by the Supreme Court.

    So what did Microsoft's lawyers do?

    They instructed Gates and at least two other witnesses to claim on the stand under oath that removing icons somehow mysteriously uncommingled the code. Now, I can understand how a simple untrained consumer might confuse icons with commingled code. But, no technologist of any education at all should do so. And, since the fake stories were precisely the same it was clear that the lawyers told Gates and the others what they should say. It was as bad and obvious as the old Perry Mason shows when 3 witnesses strangely came up with the same illogical story. It makes it very clear that it is fabricated to cover the truth. And, the truth in this case is that Microsoft fully intended to fail to honor the decision of the appellate court in regard to commingling of code. No one at Microsoft (including the lawyers) can be so dumb as to think the appellate court was talking about icons when they decided that code commingling was illegal in this case. They simply can not be that dumb.

    Code commingling is a key issue in this case. By the way, the States' remedy does not require the sale of a bare bones OS. Even then, it only requires Microsoft to either unbind the middleware so that it can be removed or offer both a bound and unbound version. The appellate decision is not strong enough to require the OS to be sold separately. For that remedy, we will have to wait for the AOL (Netscape) and SUN law suits which have taken up the tying issue. Those cases have also taken up the attempted monopolization issues.

    So, Microsoft's antitrust problems do not end with this remedy by a long shot.

    The AOL, BE and SUN law suits are each billion dollar law suits. And, they do not include the consumer class action suits which also reach that magnitude.

    The damages in the SUN law suit could reach a billion dollars. The damages in the BE law suit could also reach that level. And, the AOL (Netscape) law suit could reach 10 billion or more. And, those law suits could enjoin the bundling of IE and the media player with the OS even if uncommingled.

  5. maybe not the strategy but... on Microsoft Case Proceeds · · Score: 1

    It may not be a deliberate strategy to goad and provoke the judge but when you do not have a case, that is all you can do.

    This last motion was not really that out of line but a bit late and incorrect too.

    It is common to make motions even when you think you will lose. If you do not make the motion, you can not appeal on the basis that it was denied. And, no doubt that Microsoft will go back to the appellate court and try to get them to remove the States as plaintiffs.

    That is not likely to succeed however. You can read the opinion issued by this judge for the reasons. Too little AND too late as well.

    But, what is very clear is that Microsoft will harm consumers and preclude competition without any reserve on its part. Consumers and customers simply do not measure up as being important. They are to be screwed with the forced purchase of Microsoft branded products no matter what.

    Even Gates on the stand promised to appeal if he did not get his way with the court. So, Gates will continue to screw consumers as long as he possibly can.

  6. at least not 300 baud ... on 10-Gigabit Ethernet Standard Approved · · Score: 1

    Just remember those days with the 300 baud acoustic units.

  7. ZDNet now censors posts that link on US Govt Wants to Control ICANN? · · Score: 1

    ZDnet has taken to deleting talkback posts that link to sites owned by those they censor.

    Censorship is very clear when it is dead obvious.

  8. Re:what if you used some Ms code? on ADTI Whitepaper Released · · Score: 1

    No doubt.

    The GPL is less restrictive than the limits Microsoft places upon its own code. Heck, they do not even let you see it, much less use it in some meaningful way.

    But, that is not what drives Microsoft in their FUD effort.

    They just bad mouth the GPL because they refuse to compete on price and performance. They know that for many developers the terms of the GPL are acceptable. Not in all cases certainly. But, you do have the choice not to use it. Microsoft restricts you from seeing it.

    Microsoft even lied in court and claimed the GPL was part of the reason that the SUN JVM was not included with XP. (I guess Allchin is ignorant of the fact that SUN does not use the GPL for Java or its JVM. Either that or he simply can not resist lying if it meant to discredit the GPL. Even if GPL was not an issue in the case.)

    If you look at the lies put out by Microsoft, it is clear they could care less whether what they say is true or not. If what they say might tend to keep others away from non-Microsoft technology, they lie about it. It is a symptom of a pathetic liar. The reason some liars are pathetic is because they do not care if what they say is true or not. If it will fool, trick or defraud others they think they gain by that. So, out it comes.

    And, you see that same lack of concern in the white paper.

    They even claimed that developers turn from Netscape to IE in droves because Netscape was too proprietary? Has any product by Microsoft been less proprietary? Certainly not IE. And, that fake report claimed that it was open source developers who moved over to IE for that reason.

    Funny that the report failed to mention Mozilla. I guess Mozilla is too new for them. It must have occurred after they wrote their fake research, right?

  9. users flocked to Ms because IE was "open"? on ADTI Whitepaper Released · · Score: 1

    You have got to be kidding.

    Netscape in the beginning may have had a proprietary browser but no one I know of ever dropped Netscape in favor of IE because Netscape was proprietary and IE was open.

    That report is pure garbage. They lie about basic facts.

    No one is more closed about their code than Microsoft. And, suggesting that the open source community flocked to Microsoft because Netscape was proprietary is a joke.

  10. what if you used some Ms code? on ADTI Whitepaper Released · · Score: 2, Insightful

    Just where would you be if you slipped in 100 hours of Microsoft proprietary code you got your hands on?

    What would that do your 5000 hour product?

    The GPL is less disruptive than borrowing other code that comes with limitations.

    Besides, if you use code from other sources you certainly should know the impact of doing so. The GPL is not different in that regard.

    I guess Microsoft thinks that proprietary code should be outlawed because if it should mistakenly get its way into an application, you could be sued, right?

  11. sad indeed, truth or relevance does not matter on ADTI Whitepaper Released · · Score: 1

    I am afraid that truth or relevance no longer matters to Microsoft.

    What is important is that a so-called independent study bad mouths the GPL. That is the only relevance to this study. It is a study that the Microsoft salesman can use to fool the federal government. And, for the idiots to claim they did this or that because of a study they found.

    It does not matter if it is valid. Its mere existence is enough.

  12. study is just a hack piece on ADTI Whitepaper Released · · Score: 3, Insightful

    Study is just a hack piece I am afraid.

    Even Allchin (under oath no less) testified that the GPL was one of the reasons that Microsoft did not include a SUN compliant JVM with XP.

    What GPL has to do with a JVM from SUN is beyond me. But, that is the lie that Allchin put out to fool the court. And, the GPL was not even an issue in the trial.

    I think Microsoft is just spending any money it can on bad mouthing the ideas it does not like. It does not matter if it is true or even relevant.

    Besides, some bureaucrats only need a fake excuse anyway.

    This fake study is just like the one a few weeks back bad mouthing linux on mainframes. It does not make any sense except the Microsoft salesman will be sure to refer to it during their sales pitches. After all, customers are assumed to be pretty stupid by Microsoft.

  13. Re:so you think? on Open Source Limitations? · · Score: 1

    You are not qualified to diagnose an obsessive compulsive disorder.

    Asking that laws be complied with is the duty of all in the society and is not any indication at all of a mental disorder as you want to suggest.

    Personal insults are just that.

  14. of games, grids and distributing cpu power on Distributed Chess Computing Project · · Score: 1

    I have an application for potential distribution on a grid of PCs.

    It is a game of course. So, if you are not into games, read the next post and save your time.

    I have taken a look at the Grid Engine put out by SUN and distributed by SuSe. And, I help out SETI. The use of distributed computers to accomplish a very large computational task is intriguing to say the least.

    The problem is a difficult one however.

    The game relies upon a very large data base of information which is not easy to distribute in the normal sense. The reason is that the game is designed to support many players simultaneously and each of those players may make moves that could affect any collection of that data.

    I have done a lot of data base work over the years and I have not come up with a way in which the data base itself could easily be distributed. And, since it is just a game, the idea is to use the client PCs playing the game to provide all the horsepower. That makes it difficult because most of the clustered data base solutions otherwise applied to such a problem would rely upon a series of data base servers. And, in this game, that approach would never work. For one the game runs in real time and 24/7 even if a particular player does not. So, in addition to the normal problem of distributing a data base among many machines, the game must also function when any combination of those machines "go away" for awhile at their own discretion.

    Complicating it even further is the fact that the versions of the game to date have placed the entire data base in memory in order to maximize performance. And, that means that transactions that take place are not making SQL calls but rather sharing quick access and quick switching of access to the common data base while the game is underway. And, yes, that kind of action is necessary for the game to be realistic.

    If you happen to be interested in a real time, space war game that would rely upon a computer grid of some kind please let me know.

    By the way, it will be linux based. Maybe I should say "linux only".

  15. I would only disagree on SETI. on Distributed Chess Computing Project · · Score: 1

    I would not conclude that SETI was a meaningless project.

    I will readily admit that to this date we have not heard one peep from other intelligent worlds. However, it is much more likely that we will be in communication with other worlds a very long time before anyone does any visiting in person.

    Maybe some do not care whether we are living on the only planet with intelligent life. And, maybe it will not matter to most people if we discovered we could communicate with others. But, there is absolutely no doubt that such a finding would be the most significant in the history of the human race.

    Will SETI be the way to make that discovery? No one knows. But, it makes a lot more sense than sending up astronauts in space ships never to hear from them again. And, then looking for additional volunteers for the next flight. That ain't gonna work well.

  16. Re:and CNet censors those not pro-Microsoft on Open Source Limitations? · · Score: 1

    I do not necessarily disagree with you.

    I do find it interesting however that the day or so after the price for StarOffice was announced and Microsoft put up their puff piece about future enhancements to MS Office (vaporware if there ever was any), Microsoft got creamed on the talk back.

    Gartner was there with their survey. And, I kindly pointed out that with the 5 install permissions for Star Office an individual user could save over $2000 on day one going with Star Office.

    Of course, Microsoft was livid and no doubt called Mr. Dyer to censor my posts. All he could complain about was a simple signature (same as on here) and something about my not threatening law suits while they continue to take their time deleting offensive posts.

    If you had a post deleted, maybe it was an attack. But, my experience has been that offensive posts against myself routinely take 3-4 days to be removed. And, I have repeatedly complained about that. In time they are almost always removed. But, after 3 or 4 days no one is reading the old article and talkback anyway.

    Apparently, Mr. Dyer gets offended if you ask him to do his job. If you read his email, he even claims he is being harassed if you contact him in his capacity as "Community Manager, CNet Networks".

    Clearly ZDNet does not want an honest Talkback system. And, clearly CNet does not want any public review of their Community Policies either.

    You can read the emails from Mr. Dyer yourself. You have everything I have from him.

    I did have one (1) post deleted for being offensive. I told one fellow he looked silly for claiming to know what a document said while at the same time admitting he had not read it. Well. That does make one look rather silly. But, it was deleted anyway and I did not object. They should delete offensive posts. The problem is that they do not apply that policy fairly, accurately or within any reasonable timeframe to be of any value.

    And, when you insist they do apply their own standards, they get all huffy and refuse to discuss it.

    Claiming they are a tabloid is about right. Some of Mr. Dyer's comments in his email even suggest they engage in censorship and apply their fake Community rules in order to maximize their readership. Well. That alone invalidates TalkBack as being a public forum of any credibility.

    They tried for months to simply be slow in deleting offensive posts hoping I would just go away. It was truly an insulting experience. And, when the jerkheads at CNet saw that being lax on their policy against offensive posts was not working, they made up other reasons to ban my posts. Reasons, by the way, which they fail to make clear suggesting it is the end result they seek and do not want to tell anyone the reasons why. The poor guy even mentions email from unidentified individuals as the reason for his policy. This idiot takes orders from unknown people? Or, do you think he is taking orders from people he does know? Either way, it is rather sick.

  17. Re:so you think? on Open Source Limitations? · · Score: 1

    The illegal acts have not ceased.

    The legal actions are not over.

    Apparently you think that others should just accept the illegal acts and adopt the corrupt morals of Microsoft?

  18. so you think? on Open Source Limitations? · · Score: 1

    So you think that everyone who does not approve of Microsoft's illegal conduct has deep emotional issues they should deal with?

    Is that what you think?

  19. Re:and CNet censors those not pro-Microsoft on Open Source Limitations? · · Score: 1

    I guess you did not read the two emails from Mr. Dyer, Community Manager, CNet.

    That kind fellow tells others that my posts are highly valued and informative while telling me they are the cause of a drop in readership or a drop in the use of the talkback. So, to pick up things on ZDnet Talkback, censorship needs to be imposed. Read the email from CNet yourself. It is right there on my web site.

    Either way, it does not call for censorship. But, neither can they both be true. So clearly CNet is engaged in censorship and they are highly embarrassed by it.

    As for the so called deep emotional issues, there aren't any. It is just that I understand the technical issues involved and the harm being caused to consumers and the industry as a whole by the illegal acts Microsoft engages in. And, I detest employees under oath lying through their teeth trying to maintain those illegal acts.

    Do you suggest that AOL (Netscape), BE and SUN each have deeply emotional issues to deal with? Do you also suggest that ProComp has deep emotional issues to deal with? Do you think Judge Jackson has deep emotional issues that he should deal with? Do you think that the appellate court has deep emotional issues they should deal with? Do you think that Robert Bork has deep emotional issues to deal with?

    Or, do you only intend to insult individuals who happen to think the laws ought to be complied with and comment here?

    Not promoting Microsoft and their illegal acts is absolutely not evidence of deep emotional issues. Rather it is indication that one understands all of the issues involved and seriously objects to Microsoft's conduct.

    I would suggest that those who look the other way and lie to further Microsoft's interests should be the one consulting with the doctors.

    In other words, I am not the one who has a serious problem with the court decisions that have been made to date.

    My problem is with the companies that refuse to comply with the federal laws, present false evidence in court and fail to enforce the law when they take an oath to do so.

    I guess some people just have to insult others that do not agree with them.

  20. and CNet censors those not pro-Microsoft on Open Source Limitations? · · Score: 1

    CNet engages in censorship of those not pro-Microsoft.

    You think not?

    Check out my web site.

    My posts have been banned.

    But, Mr. Dyer, Community Manager for Cnet tells others that he gives great credit to my posts (while they were not being censored) while at the same time he told me the precise opposite.

    It is dead obvious that CNet engages in censorship to restore their pro-Microsoft readership. Gosh. Mr. Dyer even wanted to blame me for the drop off in ZDnet readership and Talkback.

    I guess CNet thinks that supporting the violation of federal law and banning anyone who objects is good for their business relationship with Microsoft?

    Read the emails for yourself. They are all public.

  21. CNet is highly biased and censors on Open Source Limitations? · · Score: 1

    I am not surprised that the reply had to be published somewhere other than ZDNet.

    Cnet has recently engaged in a policy of censorship intended to increase visitors from pro-Microsoft users.

    You think not?

    Read my web site. Email from CNet Community Manager, Mr. Dyer pretty much tells the same story.

    So, if you want an unbiased view you have to avoid Cnet and ZDnet.

  22. Re:um. duh. on Security Through Obsolescence · · Score: 1

    Sure but the source code being available makes it relatively simple.

    That is why it is flat wrong to conclude the source being present or not is not a factor.

    It clearly is a factor. They simply are not equivalent risks. That does not mean you can not adjust for the differences. But, you do have to know what the differences are. And, you have to know how much easier it is when source code is available.

    Everyone knows it is easier with the source. That is a given.

    Why some want to claim that fact does not exist is beyond me. It does exist. Any one who has done any programming whatsoever knows that. And, the fact that source does exist lowers the level of difficulty in carrying out some kinds of attacks.

    Being possible without the source in no way equates the risk. That would be like saying that hanging a key outside the locked door is no more secure because someone could just pick it anyway.

    Security is not an absolute concept at all. It is a relative concept. Suggesting that two unequal risks are the same only avoids the issue and leaves many people thinking they are more secure than they really are.

    In security, the very first and most important step is to identify "correctly" what the risks are that you face. If you fail to do that, then you also fail to protect against those risks.

  23. Re:um. duh. on Security Through Obsolescence · · Score: 1

    I think you are making the wrong comparison.

    The security model for an open source OS should be the same as the security model for in-house developed custom applications where source code is also kept.

    It is not a matter of blowing off some things if the source is closed.

    If however, you do not have the source code (and no one else does either), then you may not need to address those security precautions related directly at source code.

    For example: How do you know that no one inside the company has modified your custom apps to permit embezzlement?

    Some companies do nothing. And, some companies pay the price for not doing anything. But, most companies of any significance pay close attention to the code that is used to compile their key applications. And, that is because control over that code has been deemed necessary. That does not change just because it is an OS.

    There are many similarities in security risks that do not differ because of the source being available or not. But, that observation does not prove that there are not also a number of factors that do differ because of the source. The availability of source does create some risks.

    That is why I have to keep saying that you need to look at the procedures you employ for dealing with the custom source code you may have rather than procedures for products on which you do not have source code. And, it is not just whether you have the source. If the source is publicly available, you have it too. And, that presents the problem. You now have to deal with it.

    It may be a bit of an absurd observation, but .... what if the cleaning lady that comes in at night has full and complete access to the source code for your key custom applications? Would that concern you? What procedures would you put into place such that your exposure is minimized? Yes, the cleaning lady may not be a hacker, but she can get her hands on the Redhat source code. And, what about the guy who replaces the water bottles or restocks the cola machine? Does that fellow have copies of the source code for your custom applications (or OS)?

    Is this FUD? Well, yes, sort of. But security is based entirely upon FUD anyway. And, when we understand the risk, we do something about it. Many communities do not require residents to lock their back door, right? But, many communities do require that. And, when do the doors get locked? It is when fear, uncertainty and doubt shows up.

    This is not something that can not be addressed. It is already addressed with the source code for custom applications we develop in-house. And, that is why that process has to be looked at for the model. Looking at the security model for products on which no one has the source is the wrong approach. And, claiming the security issues are identical between open and closed source is also incorrect. Whether you have the source makes a difference for key applications you develop and/or use. And, the same applies to your OS if you (or anyone else) has the source for it.

    And, we need to distinguish between the relative benefits of an open and closed model used for development of technology versus the relative benefits of open and closed models for systems being implemented.

  24. just use the correct security model on Security Through Obsolescence · · Score: 1

    You say, "Source is irrelevant. You think sourceless OS/application suites protects you in some fundamental way. They don't. Others have pointed this out. Though you maintain the difficulty of hacking with a sourceless system, the real world shows that the majority of security exploits occur in closed systems. How do you reconcile this fact with your claims?"

    Having access to the source is relevant.

    It is not a question whether systems with or without source are more or less secure. I do not care about that. In considering appropriate security measures that is also not an issue.

    When dealing with security issues you have to address the risk "you actually face". And, if you have the source (or others have the source), the risks are different.

    I do not suggest one set of risks is more or less than the other. I only point out the "sets" differ.

    Sure, you can attack a system that uses closed source. There is no doubt about that. But, that observation has absolutely nothing to do with the risks associated when the source is readily available. You can do different things with the source. You can do some things much easier with the source.

    The point being that when source is available the security issues change. That is why the comparison between custom applications and a customizable OS. You simply do not address the security issues created by open source when making references to security issues on closed source. In other words, there could be absolutely no risks with closed source (not the case, of course) and security risks could still exist on open source. How is that? The OS itself can easily be changed. And, in many shops the process of changing the OS could be an active task. And, when it is an active task, certain risks are associated with that task.

    Let me put it this way. There are many ways to carry out embezzlement when employees can alter the systems being used. That clearly does not mean that embezzlement can not be taking place on shrink wrapped software. It clearly can. But, the range of possibilities is different. The amount of trust that must be extended is different. And, the number of people who must be extended trust also differs.

    As far as the exploits on closed systems, that issue is not relevant to the risks created by the source being available. They are different risks. And, in security you do not solve one problem by addressing an unrelated one. The risk of someone modifying your OS and installing a bogus copy has absolutely nothing to do with the risk of someone hacking into a closed source system. They are different exploits. Protecting against one has no bearing on the other.

    Protecting against outside attacks has little bearing upon inside attacks.

    As for outside attacks, it might be fair to say that security issues are the same or similar for open and closed systems. (not making a judgment as to which is greater) But, that is not the case for inside attacks that might be carried out by disgruntled employees. Or, simply employees who prefer to embezzle to pad their retirement plans.

    For inside attacks access to the source code matters greatly, as do many other issues (e.g. access to hardware, etc.).

    It is simply false to claim that having the source code does not alter your security considerations. It clearly does. All organizations treat their custom applications differently than they treat shrink wrapped ones.

    You said, "Not the organizations I work with. So you let anyone who feels like it install shrink wrapped software on your systems? You think this is secure? If not, what is the basis for your claim?"

    The selection of software you let users install is a separate issue from how you control access to applications and the associated source code. And, I have never said or even suggested that closed source or shrink wrapped software is more or less secure than open source. All I have pointed out is that when you have the source code (or when everyone else has it), the security issues are a different set. How do they differ?

    And, I do not make any claim that closed systems are secure or even more secure. I am only pointing out the risks do in fact differ.

    It is much easier for anyone to alter what the software does and replace it on your systems.

    For example: If you use the Mozilla browser, could someone in your company modify Mozilla such that a record on the side is kept of passwords used by individuals? Well. If the Mozilla code is readily available (and it is), and all the code is available (and it is), then what is to prevent someone (anyone) from writing a custom version of the Mozilla browser to capture that information BEFORE it is sent over the internet? Or, BEFORE it is secured. This may not be a very good example. But, it simply illustrates that the "set of risks" is different when the source code is available.

    The risks are not any different than those associated with the custom applications for which everyone does maintain the source. But, they are different than for those products which do not include source code.

    Finally, you said "I'm obviously not going to convince you of anything. The real world shows that open applications and OSes can be very secure. Closed systems can also be secure. Or both can be very insecure. It doesn't help your case that the most dominant closed source OS for the last 10+ years has a long history of extreme security problems. You can not ignore the real world. Your claims, if believed, would only lead people to choose that particular closed source solution over more secure open solutions. How does this promote security? What, exactly, is your motivation?"

    I do know that with the source code being readily available, I (or anyone else) can seriously alter what the OS does. And, that can be accomplished in different ways than if it is not.

    Recognizing the particular risks associated with the availability of source code does not decide the issue of which products overall are more secure. Neither does it decide that closed source systems are more secure than open ones. I am not making a final judgment or conclusion. I am simply pointing out that the risks are different.

    And, in the real world when the risks are different so too are the appropriate responses to those risks in order to minimize possible damage.

    My motivation (assuming it matters) is to encourage the adoption of security protocols that accurately reflect the risks that do exist. That is all. I do not doubt for one minute that real advantages are associated with an open (source) development process. There is no doubt about that. But, once the development is completed and implementation begins the risks associated with open and closed source do in fact differ.

    How much do they differ? Or, how must security change because of the differences? Well. It may very well depend upon the installation.

    But, that is why I suggest that the security should be similar to that for custom in-house developed applications where source code is present. That is the appropriate comparison. The wrong comparison is that with closed source systems.

    Hey, I happen to think that open source is great. I love to program. I love to develop applications. I do not intend to customize my OS for use by small numbers of individuals or employees. But, I do understand the risks associated with and created by the common availability of the source code for an OS. The risks are the same as those associated with the source code for any key in-house developed custom application. Not different. They are the same. But, they are different than for closed source software.

    This is a management issue not a technical one. Too many claim that there are no security differences between open and closed source. That is simply false. As for outside attacks (once the product is compiled) that might be true. But, when looking at issues surrounding inside attacks the differences need to be understood. The industry knows how to deal with the issues. They are dealt with now and always have been. But, the policies that apply are those related to in-house developed custom applications for which source code was maintained. And, that is the model that must be looked at.
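
    Editor's note: the comment above describes the insider risk of someone rebuilding a source-available application (the Mozilla example) or the OS itself with extra behaviour and dropping the new binary onto company machines, and says the control is the one already used for in-house custom applications. The script below is an added example, not the commenter's code or anything from the Mozilla project: it shows that control as code, a release manifest of file digests produced at build time, signed with an HMAC key held by the build team, and checked against the installed tree. The directory layout, file contents, the "keylog.so" helper and the release key are all constructed for the demonstration.

```python
"""Detect locally rebuilt or replaced files in a software install.

Added example, not from the original page. A release manifest (path -> SHA-256)
is produced from a known-good build and signed with a key the build team holds.
Hosts re-hash their install tree and diff it against the manifest; an insider
who can write to the install tree cannot quietly "update" the manifest because
the HMAC no longer verifies. All paths, contents and keys below are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the same file list always signs the same way.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes) -> bytes:
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag}).encode()


def load_manifest(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the file list; reject on mismatch."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest signature mismatch: do not trust this manifest")
    return doc["files"]


def verify_install(root: Path, manifest: dict) -> dict:
    """Report files that differ from the release: modified, missing, or added."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: clean install, then an insider's rebuilt browser."""
    release_key = b"constructed-release-key-held-by-build-team"  # demo value only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "browser").write_bytes(b"\x7fELF original browser build\n")
        (root / "lib" / "libnss.so").write_bytes(b"\x7fELF crypto library\n")
        signed = sign_manifest(build_manifest(root), release_key)

        # Insider rebuilds the browser from source with a password-logging hook
        # and drops in a helper library (constructed names and contents).
        (root / "bin" / "browser").write_bytes(b"\x7fELF browser build with logging hook\n")
        (root / "lib" / "keylog.so").write_bytes(b"\x7fELF helper\n")

        report = verify_install(root, load_manifest(signed, release_key))

        # Insider tries to hide the change by rewriting the file list but
        # cannot produce a valid HMAC without the release key.
        doc = json.loads(signed)
        doc["files"] = build_manifest(root)
        try:
            load_manifest(json.dumps(doc).encode(), release_key)
            report["forgery_rejected"] = False
        except ValueError:
            report["forgery_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The design point is the same one the comment makes about custom applications: the people who can write to the install tree must not be the people who hold the key that vouches for it, otherwise a rebuilt binary and a matching manifest arrive together. In production the HMAC would be replaced by a signature from an offline build key and the check would run from a read-only agent, but the diff logic is unchanged.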

  25. Re:ah, but "root" not required on Security Through Obsolescence · · Score: 1

    What security do you impose for the source code for custom applications?

    Do you control who gets copies?

    Do you control who can change that application and replace it?

    Why do you think that security for the source code of your OS is any less important than the security for the source code of your key custom applications?

    It is not a question of whether open or closed source results in a more secure system. It is a question of how you administer access to your systems and the source code used to change them.

    Without the source code you treat your OS much in the same way you treat your shrink wrapped applications. Is that different than how you treat custom in-house applications?

    With the source code you should treat your OS much in the same way you treat your code for custom applications. Is that different than how you treat shrink wrapped applications?

    It is simply false to claim that having the source code does not alter your security considerations. It clearly does. All organizations treat their custom applications differently than they treat shrink wrapped ones.

    The point here is that it does not change simply because the product is an operating system.

    No one I know of has ever claimed that they treat security issues related to custom in-house apps in the same way they treat security issues with shrink wrapped applications for which they do not have the source code.

    You simply can not ignore the fact that the source code is lying around everywhere. If you do, why do you not simply publish the source code for all your custom in-house applications?

    To the outside world, it may not matter. But, security issues are not limited to outside world attacks. Neither can you assume that if security issues are the same regardless of open or closed source in regard to outside attacks that the security issues are also identical for inside attacks.

    They simply are not.